Colorado Legislators Propose New Privacy and Data Breach Law

A bipartisan group of legislators in Colorado has proposed changes to the state's privacy and data breach notification laws to give residents better protection. If passed, the bill would significantly change current state law. The proposed legislation would add the following data elements to the definition of personally identifying information (PII).

Full name or last name and initial in combination with any of the following data elements:

personal ID numbers

employment, student and military IDs

Social Security numbers

passport numbers

state ID numbers

state or government driver’s license numbers

biometric data

passwords and pass codes

health information

financial transaction devices

health insurance information

Usernames/email addresses, credit/debit card numbers and other financial account numbers are also included when they are compromised together with other information that permits access to or use of the account. A compromise is not considered a breach if the PII is encrypted, unless the unauthorized person also obtains the key needed to decrypt it.

The new legislation would require organizations that store the PII of state residents to implement controls that protect the privacy and confidentiality of that PII. The bill does not prescribe specific security protections, practices or procedures; instead it requires security measures “appropriate to the nature of the PII and the nature and size of the business and its operations.”

Any entity that discloses PII to a third party must require that third party to protect and secure the PII at all times using appropriate technology, practices and procedures. Sensitive data must be protected from unauthorized access, use, disclosure, modification or destruction.

If the entity or third party no longer needs the PII, the PII, whether in paper or digital form, must be securely destroyed without retaining any copy. There must be a written policy covering the destruction of data. Paper records may be burned, pulped, pulverized or shredded. Electronic data must be securely deleted so that it cannot be restored, using methods such as degaussing, overwriting the media with software, pulverization, melting, disintegration, incineration or shredding.

In the event of a PII breach, the covered entity has up to 45 days from discovery of the breach to issue notifications. Notifications must be issued “in the most expedient time and without unreasonable delay.” For a breach affecting more than 500 persons, the state attorney general must be notified no later than 7 days after the breach is discovered.

Breach notification letters must include the following content:

date of the breach or an estimate if it is unknown

description of the compromised PII

information on how credit freezes and security alerts can be set

contact information

a toll-free number to contact for more information

contact details of consumer reporting agencies and the FTC

The legislation would also give the Colorado Attorney General the authority to initiate criminal investigations and legal proceedings against organizations that violate the state law.